The attackers gained access to the company's IT systems and obtained credentials for digital asset settlement accounts, enabling them to transfer the cryptocurrency without authorization.
Following the breach discovery, Bitcoin Depot said it activated its incident response protocols and engaged external cybersecurity experts to investigate the attack vector and secure remaining assets. The company also notified law enforcement authorities, though it did not specify which agencies are involved in the investigation.
Despite the settlement account compromise and loss of assets, Bitcoin Depot stated that its customer-facing platforms and user data remained unaffected by the intrusion.
As of this writing, Bitcoin Depot has yet to make a public statement on the breach aside from the SEC filing. Decrypt reached out to a company spokesperson for comment but did not immediately receive a response.
The company classified the incident as material to its operations, citing potential reputational damage alongside legal, regulatory, and incident response costs. Bitcoin Depot recorded a preliminary loss estimate of $3.665 million based on Bitcoin's value at the time of the theft.
The disclosure did not specify whether the company maintains insurance coverage for digital asset thefts or how the loss might impact its Bitcoin ATM liquidity operations across its machine network.
Bitcoin ATM operators have emerged as attractive targets for cybercriminals due to the significant cryptocurrency reserves they must maintain to facilitate customer transactions. These firms face unique security challenges as they bridge physical cash-to-crypto infrastructure with digital custody systems.